Analysis

  • max time kernel
    153s
  • max time network
    188s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    26-07-2021 12:42

General

  • Target

    8184432307b0f546d168e3e386a20999f5b0de0bd4085753bb2b09cfc7fec071.sample.exe

  • Size

    276KB

  • MD5

    6bfa1c01c3af6206a189b975178965fe

  • SHA1

    260dd322089862a5400a00dbcb35774b66ce2d47

  • SHA256

    8184432307b0f546d168e3e386a20999f5b0de0bd4085753bb2b09cfc7fec071

  • SHA512

    f518f82554b7a4d6c14655cd980ab710e08c20b3efb2979e39429c44cdf85f66f6db2021bd4758ec6cdcfa4c89fe3224628198094888adc4af243d17c730ddf8

Malware Config

Extracted

Path

C:\Documents and Settings\-!RecOveR!-ibefa++.Txt

Ransom Note

+639/8;4,&&2;9!/) 0?< 5'"3*;%8* ------- +639/8;4,&&2;9!/) 0?< 5'"3*;%8*
NOT YOUR LANGUAGE? USE https://translate.google.com
What's the matter with your files?
Your data was secured using a strong encryption with RSA-4096. Use the link down below to find additional information on the encryption keys using RSA-4096 https://en.wikipedia.org/wiki/RSA_(cryptosystem)
+639/8;4,&&2;9!/) 0?< 5'"3*;%8* ------- +639/8;4,&&2;9!/) 0?< 5'"3*;%8*
What exactly that means? It means that on a structural level your files have been transformed . You won't be able to use , read , see or work with them anymore . In other words they are useless , however , there is a possibility to restore them with our help .
What exactly happened to your files ???
!!! Two personal RSA-4096 keys were generated for your PC/Laptop; one key is public, another key is private.
!!! All your data and files were encrypted by the means of the public key , which you received over the web .
!!! In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers.
+639/8;4,&&2;9!/) 0?< 5'"3*;%8* ----- +639/8;4,&&2;9!/) 0?< 5'"3*;%8*
!!! What should you do next ???
In case you have valuable files , we advise you to act fast as there is no other option rather than paying in order to get back your data.
In order to obtain specific instructions , please access your personal homepage by choosing one of the few addresses down below :
http://74bfc.flubspiel.com/52C28F7421287E23
http://ibf4d.ukegaub.at/52C28F7421287E23
http://k3cxd.pileanoted.com/52C28F7421287E23
If you can't access your personal homepage or the addresses are not working, complete the following steps:
*** Download and Install TOR Browser - http://www.torproject.org/projects/torbrowser.html.en
*** Run TOR Browser
Insert link in the address bar: xzjvzkgjxebzreap.onion/52C28F7421287E23
+639/8;4,&&2;9!/) 0?< 5'"3*;%8*----IMPORTANT*****************INFORMATION---------+639/8;4,&&2;9!/) 0?< 5'"3*;%8*
Your personal homepages
http://74bfc.flubspiel.com/52C28F7421287E23
http://ibf4d.ukegaub.at/52C28F7421287E23
http://k3cxd.pileanoted.com/52C28F7421287E23
Your personal homepage Tor-Browser
xzjvzkgjxebzreap.onion/52C28F7421287E23
Your personal ID
52C28F7421287E23
+639/8;4,&&2;9!/) 0?< 5'"3*;%8* +639/8;4,&&2;9!/) 0?< 5'"3*;%8* +639/8;4,&&2;9!/) 0?< 5'"3*;%8*
URLs

http://74bfc.flubspiel.com/52C28F7421287E23

http://ibf4d.ukegaub.at/52C28F7421287E23

http://k3cxd.pileanoted.com/52C28F7421287E23

http://xzjvzkgjxebzreap.onion/52C28F7421287E23
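
Added example, not part of the sandbox report: a small parser that pulls the victim ID, the clearnet panel URLs and the Tor address out of the raw note text above and checks that every panel URL carries the same ID (the ID is the pivot you would search for across other victims' notes). The NOTE string is an excerpt of the note as extracted in this report, junk separators included; the field names in the returned dict and the notion of "panel" versus "reference" URLs are my own labels.

```python
import re
from urllib.parse import urlparse

# Excerpt of the ransom note as extracted in this report. The junk separators
# are kept on purpose: a parser that only works on the cleaned URL list is of
# little use when you are handed the raw note from a victim's desktop.
NOTE = """+639/8;4,&&2;9!/) 0?< 5'"3*;%8* ------- +639/8;4,&&2;9!/) 0?< 5'"3*;%8* \
NOT YOUR LANGUAGE? USE https://translate.google.com What's the matter with your files? \
Your data was secured using a strong encryption with RSA-4096. Use the link down below \
to find additional information on the encryption keys using RSA-4096 \
https://en.wikipedia.org/wiki/RSA_(cryptosystem) +639/8;4,&&2;9!/) 0?< 5'"3*;%8* ------- \
In order to obtain specific instructions , please access your personal homepage by \
choosing one of the few addresses down below : http://74bfc.flubspiel.com/52C28F7421287E23 \
http://ibf4d.ukegaub.at/52C28F7421287E23 http://k3cxd.pileanoted.com/52C28F7421287E23 \
If you can't access your personal homepage or the addresses are not working, complete \
the following steps: *** Download and Install TOR Browser - \
http://www.torproject.org/projects/torbrowser.html.en *** Run TOR Browser Insert link in \
the address bar: xzjvzkgjxebzreap.onion/52C28F7421287E23 +639/8;4,&&2;9!/) 0?< 5'"3*;%8* \
Your personal ID 52C28F7421287E23 +639/8;4,&&2;9!/) 0?< 5'"3*;%8*"""

URL_RE = re.compile(r'https?://[^\s"\'<>]+')
# v2 (16 chars) and v3 (56 chars) onion hostnames, written without a scheme
# in this note, optionally followed by a path.
ONION_RE = re.compile(r'\b((?:[a-z2-7]{56}|[a-z2-7]{16})\.onion)(/\S*)?')
ID_RE = re.compile(r'Your personal ID\s+([0-9A-Fa-f]{16})')


def extract_config(note: str) -> dict:
    """Pull the victim ID, panel URLs and Tor address out of a raw note.

    Field names in the returned dict are my own; the report only lists URLs.
    """
    ids = ID_RE.findall(note)
    personal_id = ids[0] if ids else None
    urls = list(dict.fromkeys(URL_RE.findall(note)))  # dedupe, keep order
    # Panel URLs are the ones whose path is exactly the victim ID; everything
    # else (translate, wikipedia, torproject) is reference material.
    panel = [u for u in urls if urlparse(u).path.strip("/") == personal_id]
    reference = [u for u in urls if u not in panel]
    onions = list(dict.fromkeys(
        "http://" + host + path for host, path in ONION_RE.findall(note)))
    paths = {urlparse(u).path.strip("/") for u in panel + onions}
    return {
        "personal_id": personal_id,
        "panel_urls": panel,
        "onion_urls": onions,
        "reference_urls": reference,
        # True when the note carries one ID and every panel/onion URL uses it.
        "id_consistent": len(set(ids)) == 1 and paths <= {personal_id},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_config(NOTE), indent=2))
```

The onion address is normalised to the http:// form so it compares equal to the entry in the URLs list above; the three clearnet hosts are gates to the same panel, which is why the ID check matters more than any single hostname.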

Signatures

  • suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8184432307b0f546d168e3e386a20999f5b0de0bd4085753bb2b09cfc7fec071.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\8184432307b0f546d168e3e386a20999f5b0de0bd4085753bb2b09cfc7fec071.sample.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Users\Admin\Documents\fgxunalidwhx.exe
      C:\Users\Admin\Documents\fgxunalidwhx.exe
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops startup file
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1364
      • C:\Windows\System32\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:584
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\-!RecOveR!-ibefa++.Txt
        3⤵
        PID:928
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\-!RecOveR!-ibefa++.Htm
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1528
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2040
      • C:\Windows\System32\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:208
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\818443~1.EXE >> NUL
      2⤵
      • Deletes itself
      PID:864
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:760
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1088
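
Added example, not code from the sandbox or the report: a script that rebuilds the tree above from (pid, ppid, image, command line) records and flags the three behaviours the Signatures section calls out on this tree: shadow-copy deletion through vssadmin (or wmic), a dropped executable run from a user-writable directory by another user-writable binary, and self-deletion through cmd /c DEL, where the 8.3 short name 818443~1.EXE has to be matched back to the parent's long image name. The records are constructed from the report's PIDs and command lines; the parent PIDs are inferred from the tree depth shown, and the record layout is an assumption, not any sandbox's export format.

```python
import re
from collections import defaultdict

# Constructed from the report's process list as (pid, ppid, image, command line).
# Parent PIDs follow the tree depth shown in the report; the sandbox component
# that launched PID 1840 is not in the report, so its parent is None.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\8184432307b0f546d168e3e386a20999f5b0de0bd4085753bb2b09cfc7fec071.sample.exe")
RECORDS = [
    (1840, None, SAMPLE, f'"{SAMPLE}"'),
    (1364, 1840, r"C:\Users\Admin\Documents\fgxunalidwhx.exe",
     r"C:\Users\Admin\Documents\fgxunalidwhx.exe"),
    (584, 1364, r"C:\Windows\System32\vssadmin.exe",
     r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet'),
    (928, 1364, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\-!RecOveR!-ibefa++.Txt'),
    (1528, 1364, r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\-!RecOveR!-ibefa++.Htm'),
    (2040, 1528, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:275457 /prefetch:2'),
    (208, 1364, r"C:\Windows\System32\vssadmin.exe",
     r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet'),
    (864, 1840, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\818443~1.EXE >> NUL'),
]

# vssadmin "Delete Shadows" and wmic "shadowcopy delete" are the two common
# command-line forms of shadow-copy deletion.
SHADOW_DELETE = re.compile(
    r'(?:vssadmin(?:\.exe)?"?\s+delete\s+shadows|wmic(?:\.exe)?"?\s+shadowcopy\s+delete)',
    re.I)
# A DEL command and its first target, skipping switches such as /F or /Q.
# "Delete" in the vssadmin line does not match because of the \b after "del".
DEL_TARGET = re.compile(r'\bdel\b\s+(?:/\w+\s+)*"?([^\s">]+)', re.I)
# Directories an unprivileged user can write to; Program Files and Windows are not.
USER_WRITABLE = re.compile(r'^[a-z]:\\(?:users|programdata)\\', re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def names_match(del_target, image):
    """True if a DEL target names the given image, including the 8.3 short
    form (818443~1.EXE for a long name starting with 818443 and ending .exe)."""
    target, actual = basename(del_target).upper(), basename(image).upper()
    if target == actual:
        return True
    stem, _, ext = target.rpartition(".")
    if "~" in stem:
        prefix = stem.split("~", 1)[0]
        return actual.startswith(prefix) and actual.endswith("." + ext)
    return False


def analyse(records):
    """Return sorted (finding, pid) pairs for the behaviours described above."""
    by_pid = {r[0]: r for r in records}
    findings = set()
    for pid, ppid, image, cmdline in records:
        parent = by_pid.get(ppid)
        if SHADOW_DELETE.search(cmdline):
            findings.add(("shadow_copy_deletion", pid))
        # A user-writable binary starting another user-writable binary is how
        # the dropper in this report hands off to fgxunalidwhx.exe.
        if parent and USER_WRITABLE.match(image) and USER_WRITABLE.match(parent[2]):
            findings.add(("dropped_exe_from_user_dir", pid))
        m = DEL_TARGET.search(cmdline)
        if m and parent and names_match(m.group(1), parent[2]):
            findings.add(("self_delete_of_parent", pid))
    return sorted(findings)


def render_tree(records):
    """One line per process, indented by depth, in the order the records appear."""
    children = defaultdict(list)
    for rec in records:
        children[rec[1]].append(rec)
    lines = []

    def walk(ppid, depth):
        for pid, _, image, _ in children.get(ppid, []):
            lines.append("  " * depth + f"{basename(image)} (PID {pid})")
            walk(pid, depth + 1)

    walk(None, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(RECORDS)))
    for finding, pid in analyse(RECORDS):
        print(f"{finding}: PID {pid}")
```

The four fields map directly onto Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine), so the same functions can be pointed at real telemetry. The self-delete check needs the parent's image, which is why it runs over the tree rather than over single events; the DEL line on its own is just cmd.exe deleting a file in Temp.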

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1088-80-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize 4KB
  • memory/1088-75-0x00000000000B0000-0x00000000000B2000-memory.dmp
    Filesize 8KB
  • memory/1364-71-0x0000000000400000-0x000000000048A000-memory.dmp
    Filesize 552KB
  • memory/1528-79-0x000007FEFC031000-0x000007FEFC033000-memory.dmp
    Filesize 8KB
  • memory/1840-60-0x0000000075551000-0x0000000075553000-memory.dmp
    Filesize 8KB
  • memory/1840-63-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize 4KB
  • memory/1840-62-0x0000000000400000-0x000000000048A000-memory.dmp
    Filesize 552KB
  • memory/1840-61-0x0000000000400000-0x000000000048A000-memory.dmp
    Filesize 552KB